[Samba] Unable to set SeDiskOperatorPrivilege
Rowland penny
rpenny at samba.org
Fri Jan 15 12:24:57 UTC 2016
On 15/01/16 12:08, Henry McLaughlin wrote:
>
>
> On 15 January 2016 at 22:28, Rowland penny <rpenny at samba.org> wrote:
>
> On 15/01/16 11:12, Henry McLaughlin wrote:
>
>
> Have you by any chance given Administrator a uidNumber?
>
>
> Yes, 10000
>
> Was that wrong?
>
>
>
>
> Well, in my opinion, yes. By giving Administrator a uidNumber, you
> have, as far as Unix is concerned, turned it into a normal user
> that doesn't have the rights to do anything.
>
> Is this on a DC? If so, remove the uidNumber and it should start
> working again. If it is a domain member, again remove the
> uidNumber and add this line to smb.conf:
>
> username map = /etc/samba/samba_usermapping
>
> Create the file '/etc/samba/samba_usermapping' with this content:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Replace 'SAMDOM' with your workgroup
>
> This will map 'Administrator' to the Unix 'root' user
>
> Rowland
>
>
> Thanks Rowland, this worked; however, I am totally confused as to when a
> Windows User/Groups needs to be given a UNIX id in ADUG. Is there a
> reference out there I can read, study & understand?

It is fairly simple: on a DC, users are mapped (via idmap.ldb) to Unix
automatically. On a domain member, you have a choice of backends, but
the two main ones are 'rid' & 'ad'. The 'rid' backend works similarly
(from an initial viewpoint) to the DC and maps the users & groups to
Unix. The 'ad' backend is different: any user that you want to be
visible to Unix must be given a uidNumber attribute, and this number must be
inside the range that is set in smb.conf. You must also give Domain
Users (at least) a gidNumber attribute, which must also be inside the
range set in smb.conf. If you want any other groups to be visible to
Unix, these must also be given a gidNumber.

Any user or group that is visible to Unix works just like any other
Unix user or group and only has the permissions you assign to them.

Rowland
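
An added example, not part of the original post or of Samba itself: a small audit of the rules described in this thread for a domain member using the 'ad' backend. The smb.conf text, the ranges and the account list are constructed samples, and `parse_idmap` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample smb.conf (domain member); ranges are assumed values.
SMB_CONF = """
[global]
    workgroup = SAMDOM
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    username map = /etc/samba/samba_usermapping
"""

# Constructed directory export: account name -> uidNumber (None = not set).
ACCOUNTS = {"Administrator": 10000, "alice": 10001, "bob": 5000, "carol": None}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I | re.M)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    domains = {}
    for dom, key, value in IDMAP_RE.findall(conf):
        key = key.lower()
        parsed = tuple(int(n) for n in value.split("-")) if key == "range" else value
        domains.setdefault(dom, {})[key] = parsed
    return domains

def audit(conf, domain, accounts):
    """Classify accounts of a domain that uses the 'ad' idmap backend."""
    cfg = parse_idmap(conf)[domain]
    if cfg.get("backend") != "ad":
        raise ValueError("this check only applies to the 'ad' backend")
    low, high = cfg["range"]
    has_map = re.search(r"^\s*username map\s*=", conf, re.I | re.M) is not None
    report = {}
    for name, uid in accounts.items():
        if name.lower() == "administrator":
            # Thread's advice: no uidNumber; map to root via 'username map'.
            ok = uid is None and has_map
            report[name] = "ok: mapped to root" if ok else "fix: remove uidNumber, use username map"
        elif uid is None:
            report[name] = "not visible to Unix: no uidNumber"
        elif low <= uid <= high:
            report[name] = "visible to Unix"
        else:
            report[name] = "not visible to Unix: uidNumber outside range"
    return report

if __name__ == "__main__":
    print(audit(SMB_CONF, "SAMDOM", ACCOUNTS))
```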